Easy VPN connection with remote side behind NAT device

Marwan ALshawi Thu, 08/07/2008 - 06:24

Try to issue the following command:

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

shanevolpe Thu, 10/02/2008 - 06:43

I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?

Marwan ALshawi Thu, 10/02/2008 - 06:50

If your case is like:

internet---nat device--ASA--internal

and the VPN is on the ASA,

you first need a static NAT or port forward from the NAT device to the ASA.

You need the following ports opened and statically NATed:

ESP

UDP 500

and maybe UDP 4500

to get the tunnel established.

If helpful, rate.

singhsaju Fri, 10/03/2008 - 09:13

Hi,

Can you enable NAT-T globally on both end ASAs and then check?

"isakmp nat-traversal 20"

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1052899

When NAT-T is enabled, the ESP packets (which actually carry the data payload), which get blocked by PAT/NAT, get encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.

HTH

Saju

Pls rate helpful posts
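As an added illustration (not from any poster in this thread), the following Python script models how a PAT device sees the three traffic types Marwan listed (ESP, UDP 500, UDP 4500) and the UDP 4500 encapsulation Saju describes. The packets and addresses are constructed inline for the demonstration; the "non-ESP marker" check follows RFC 3948, which the thread does not mention.

```python
# Added example: classify constructed IPv4 packets the way a NAT/PAT device
# sees them, to show why raw ESP needs a static (1:1) NAT while NAT-T passes PAT.
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
PROTO_UDP, PROTO_ESP = 17, 50
# RFC 3948: IKE carried inside UDP 4500 starts with four zero bytes;
# ESP-in-UDP starts directly with the (non-zero) SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def ipv4_packet(proto, payload):
    """Constructed minimal IPv4 header (20 bytes, no options) + payload. Addresses are made up."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 2]), bytes([203, 0, 113, 1]))
    return hdr + payload


def udp_packet(sport, dport, data):
    """Constructed UDP datagram (checksum left at zero) inside an IPv4 packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_packet(PROTO_UDP, udp)


def classify(pkt):
    """Return (label, passes_pat). PAT needs layer-4 ports to build a translation;
    raw ESP has none, so it only gets through with a static one-to-one NAT."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_ESP:
        return "ESP (IP proto 50, no ports)", False
    if proto != PROTO_UDP:
        return "other", False
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if IKE_PORT in (sport, dport):
        return "IKE (UDP 500)", True
    if NAT_T_PORT in (sport, dport):
        if data[:4] == NON_ESP_MARKER:
            return "IKE over NAT-T (UDP 4500, non-ESP marker)", True
        spi = struct.unpack("!I", data[:4])[0]
        return f"ESP-in-UDP (UDP 4500, SPI 0x{spi:08x})", True
    return "UDP other", True


if __name__ == "__main__":
    for p in (ipv4_packet(PROTO_ESP, b"\x00\x00\x12\x34" + b"\x00" * 8),
              udp_packet(500, 500, b"\x11" * 28),
              udp_packet(4500, 4500, NON_ESP_MARKER + b"\x11" * 28),
              udp_packet(4500, 4500, b"\x00\x00\x12\x34" + b"\x00" * 8)):
        print(classify(p))
```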
